Commit Graph

15388 Commits

Author SHA1 Message Date
Yuri Chornoivan
a0e0d57a42 Translated using Weblate (Ukrainian)
Currently translated at 98.5% (4671 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Weblate
3c7fe6c49d Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
4185578705 Translated using Weblate (Finnish)
Currently translated at 7.7% (362 of 4672 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Weblate
ac2c3de889 Update translation files
Updated by "Update LINGUAS file" hook in Weblate.

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Florence Blanc-Renaud
cca7a7cd77 ipa man page: format the EXAMPLES section
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.

Add .TP (tagged, indented paragraph) before each example.

Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-30 15:15:50 +02:00
Rob Crittenden
dbec885cb0 Move client certificate request after krb5.conf is created
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.

This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.

Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.

Fixes: https://pagure.io/freeipa/issue/9246

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-09-29 16:40:19 -04:00
Carla Martinez
55ef0008b8 Update API and VERSION
The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
a3b4b476b9 webui: Set 'SOA serial' field as read-only
On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message to be shown when this
specific field is manually set.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
b326b4afae ipatest: Remove warning message for 'idnssoaserial'
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.

Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
c74c701cac Set 'idnssoaserial' to deprecated
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.

This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Florence Blanc-Renaud
59db0faf21 ipatests: add negative test for otptoken-sync
Scenario:  call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens

The test expects a return code = 1.

Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-29 07:58:44 -04:00
Florence Blanc-Renaud
f1b2d8ab36 ipa otptoken-sync: return error when sync fails
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.

- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-29 07:58:44 -04:00
Rob Crittenden
9d9d925b14 Defer creating the final krb5.conf on clients
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.

If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.

This was seen in performance testing of how many simultaneous
client enrollments are possible.

Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.

https://pagure.io/freeipa/issue/9228

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-09-26 08:48:42 +02:00
Florence Blanc-Renaud
7aeb9e5860 ipa-cacert-manage prune: remove all expired certs
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.

To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.

Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-23 09:49:06 +02:00
Carla Martinez
926680ffb2 webui: Show 'Sudo order' column
In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.

Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-09-21 10:45:32 +02:00
Scott Poore
04c2b06984 ipatests: add prci definitions for test_sso jobs
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-20 14:54:04 -04:00
Scott Poore
a4da017272 ipatests: add Keycloak Bridge test
Add test code for new bridge server (ipa-tuura) and Keycloak plugin.

Add uninstall functions for create_keycloak.py so that the tests can
be run repeatedly.

Fixes: https://pagure.io/freeipa/issue/9227
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-20 14:54:04 -04:00
Rob Crittenden
36591995ac Fix upper bound of password policy grace limit
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-09-20 14:51:56 -04:00
Stanislav Levin
94835d19b5 x509: Replace removed register_interface with subclassing
python-cryptography 38.0 removed `register_interface` decorator:
pyca/cryptography@f70e334a52

Backward compatibility:
Cryptography haven't changed the interface of `Certificate` since it was
first used by IPA (4.6.0) till cryptography 38.0.

cryptography 38.0 (pyca/cryptography@c1b7307a3e)
added `tbs_precertificate_bytes` attribute.

Fixes: https://pagure.io/freeipa/issue/9160
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-19 14:15:36 -04:00
Carla Martinez
090d4f9e9d Set pkeys in test_selinuxusermap.py::test_misc::delete_record
The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.

The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.

Fixes: https://pagure.io/freeipa/issue/9161

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-08-30 16:07:42 +02:00
Jesse Sandberg
fa85301895 Fix ipa-ccache-sweeper activation timer and clean up service file
Added OnActiveSec=12h to start the timer cycle because OnUnitActiveSec setting alone never triggers the timer after boot as there has not been transition between active and inactive state.
Removed [Install] section from sweeper.service as it is not needed

Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg@netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-29 18:28:42 +02:00
Alexander Bokovoy
ad8f90f816 ipa-otpd: initialize local pointers and handle gcc 10
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).

Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.

Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.

Fixes: https://pagure.io/freeipa/issue/9230

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-08-29 17:34:20 +02:00
Alexander Bokovoy
2ae316d430 fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.

Fix it by doing two things:

 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;

 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.

Fixes: https://pagure.io/freeipa/issue/9226

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-08-29 17:30:22 +02:00
Endi S. Dewata
06183a061a Remove pki_restart_configured_instance
The pki_restart_configured_instance param is no longer used
by pkispawn so it has been removed.

https://github.com/dogtagpki/pki/blob/master/docs/changes/v11.3.0/Server-Changes.adoc

Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-08-19 10:19:10 +02:00
Scott Poore
5a225deaa0 ipatests: Rename create_quarkus to create_keycloak
The module installs and configures a Keycloak server and
not just the Quarkus Java framework.  So, renaming to better
reflect what the module is used for.

Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-19 09:47:41 +02:00
Rob Crittenden
0468cc6085 Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
c8955a4d0a Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
b6587d3361 doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.

Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Thomas Woerner
77803587d6 DNSResolver: Fix use of nameservers with ports
IPA DNS zone and forwardzone commands allow to use nameservers with ports
as "SERVER_IP port PORT_NUMBER". bind is supporting this syntax, but the
Resolver in dnspython that is used to verify the list of forwarders
(nameservers) is only allowing to have IP addresses in this list. With
dnspython version 2.20 there is a new validator in dns.resolver.BaseResolver
that ensures this.

Refs:
- https://bind9.readthedocs.io/en/v9_18_4/reference.html#zone-statement-grammar
- https://github.com/rthalley/dnspython/blob/master/dns/resolver.py#L1094

ipapython/dnsutil.DNSResolver derives from dns.resolver.Resolver. The setter
for nameservers has been overloaded in the DNSResolver class to split out
the port numbers into the nameserver_ports dict { SERVER_IP: PORT_NUMBER }.
After the setter for nameservers succeeded, nameserver_ports is set.
nameserver_ports is used in the resolve() method of dns.resolver.Resolver.

Additional tests have been added to verify that nameservers and also
nameserver_ports are properly set and also valid.

Fixes: https://pagure.io/freeipa/issue/9158

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 13:49:40 +02:00
Florence Blanc-Renaud
21091c2bc7 gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 13:07:03 +02:00
Florence Blanc-Renaud
54d32fcd76 ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.

Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 13:07:03 +02:00
Rob Crittenden
45b351f8c5 upgrades: Don't restart the CA on ACME and profile schema change
There are currently three sets of CA schema changes applied
in ipa-server-upgrade:

* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema

None of these require a restart of the CA to be supported.

There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.

https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.

Related: https://pagure.io/freeipa/issue/9204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 08:51:31 +02:00
Florence Blanc-Renaud
8a415ff985 check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.

Replace with direct boolean comparison.

Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 08:39:06 +02:00
Florence Blanc-Renaud
4ae9c78f59 azure tests: disable TestInstallDNSSECFirst
The test TestInstallDNSSECFirst is failing because of one of its
dependencies (the most likely suspect is the update of openssl-pkcs11).
Disable the test from azure gating until the issue is solved.

Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-08 09:53:25 +02:00
Florence Blanc-Renaud
ccb012b402 ipatests: fix the topology for rawhide/test_subids
The test test_integration/test_subids.py::TestSubordinateId
needs a master and a client but the yaml definition for rawhide
and sssd is currently using master_1repl. Replace with
master_1repl_1client to fulfill the requirement.

Fixes: https://pagure.io/freeipa/issue/9217
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-08 09:53:25 +02:00
Carla Martinez
42b2607a6f webui: Allow grace login limit
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:

   `ipa pwpolicy-mod --gracelimit=2 global_policy`

Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)

Fixes: https://pagure.io/freeipa/issue/9211

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-08-05 16:30:18 +02:00
Sumedh Sidhaye
6033d495d1 Additional tests for RSN v3
New Tests include
TestRSNPKIConfig
TestRSNVault

The new tests are just extending existing classes to be run
with random serial numbers enabled

The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`

Added nightly definitions

Related Ticket: https://pagure.io/freeipa/issue/2016

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-04 13:26:00 -04:00
Sudhir Menon
bf4c51266c
ipatests: WebUI: do not allow subid range deletion
This testcase checks that subid added by user admin
cannot be deleted.

Related: https://pagure.io/freeipa/issue/9150

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-08-03 09:33:42 +02:00
David Pascual
8297b74974 ipatest: fix prci checker target masked return code & add pylint
In the yamllint target of makefile, prci_checker result was being masked by echo statement.
Aditionally, prci_checker script has been added to the list of Python sources to be Pylinted.

Addressing comments of recently merged PR:
https://github.com/freeipa/freeipa/pull/6301#discussion_r923163970
https://github.com/freeipa/freeipa/pull/6301#issuecomment-1187037261

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-01 09:34:42 -04:00
Sudhir Menon
e3e7c98ac5 ipatests: ipa-client-install --subid adds entry in nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry

subid: nss
Related: https://pagure.io/freeipa/issue/9159

Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files

gating.yaml
nightly_latest.yaml
nightly_latest_selinux.yaml
nightly_latest_testing.yaml
nightly_previous.yaml
nightly_rawhide.yaml

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-01 09:28:30 -04:00
Rob Crittenden
4105fee2cf Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.

Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.

Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.

Fixes: https://pagure.io/freeipa/issue/9206

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-08-01 09:24:40 -04:00
Erik
fc5de8216d
ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.

Related: https://pagure.io/freeipa/issue/8951

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-27 13:34:07 +02:00
Stanislav Levin
e9b232fcf4 ap: Constrain supported docutils
New Sphinx 5.1.0 (Released: Jul 24, 2022) bumped supported docutils
to 0.19:
https://github.com/sphinx-doc/sphinx/pull/10656

But m2r2 doesn't support it yet:
https://github.com/CrossNox/m2r2/issues/52

Thereby, docutils must be constrained to < 0.19.

This should be fixed by m2r2 and after they do it the restriction
can be removed.

Fixes: https://pagure.io/freeipa/issue/9208
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
8542fd3012 ap: Rearrange overloaded jobs
With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. In the same time there are jobs having only
1 or 2 subjobs and they should be used more.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
dd094e3889 ap: Disable azure's security daemon
This daemon run clamav which is resource aggressive.
No point to run Windows virus scanner on Ubuntu in Linux-only
environment.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
Stanislav Levin
0e8bde3175 ap: Raise dbus timeout
With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-26 12:36:41 -04:00
David Pascual
3237ade3d2 ipatests: Checker script for prci definitions
This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-07-15 17:09:17 +02:00
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Armando Neto
436c9d85ee
webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.

Fixes: https://pagure.io/freeipa/issue/9192

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-07-12 11:38:17 -03:00
Florence Blanc-Renaud
e8d34361c7 ipatests: fix SSSD nightly definition
The nightly test test_external_idp requires a topology
with 2 replicas. Fix the definition in nightly_latest_sssd.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-07-12 10:15:21 +02:00